Opened 8 weeks ago
Last modified 8 weeks ago
#62604 new enhancement
Prevent false-positive in validate_callback() in REST API
Reported by: | Takahashi_Fumiki | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | trunk |
Component: | REST API | Keywords: | has-patch |
Focuses: | Cc: |
Description (last modified by )
Related: https://github.com/WP-API/docs/issues/194
```php
'type'              => 'string',
'validate_callback' => function( $should_be_date ) {
	return preg_match( '/^\d{4}-\d{2}-\d{2}$/u', $should_be_date );
}
```
The above validation expects the parameter to be in 'YYYY-MM-DD' format, but actually any string is treated as "valid" because preg_match() returns 0 (a falsy value) for a mismatch.
So, validation priority should be is_wp_error() -> "is true?" -> "else, invalid."
Concerns: strpos() returns 0 for a match.
Change History (2)
This ticket was mentioned in PR #7914 on WordPress/wordpress-develop by @Takahashi_Fumiki.
8 weeks ago
#1
- Keywords has-patch added
Related: https://github.com/WP-API/docs/issues/194

```php
'type'              => 'string',
'validate_callback' => function( $should_be_date ) {
	return preg_match( '/^\d{4}-\d{2}-\d{2}$/u', $should_be_date );
}
```

The above validation expects the parameter to be in 'YYYY-MM-DD' format, but actually any string is treated as "valid" because preg_match() returns 0 (a falsy value) for a mismatch.
So, validation priority should be is_wp_error() -> "is true?" -> "else, invalid."
Concerns: strpos() returns 0 for a match. This results in a false negative in terms of backward compatibility.

Trac ticket: https://core.trac.wordpress.org/ticket/62604#ticket
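
The two decision rules discussed in this ticket, side by side, as an added stand-alone PHP example (not code from the ticket, the PR, or WordPress core). `Example_Error`, `accepts_strict_false()` and `accepts_truthy()` are hypothetical stand-ins, and the strict-`false` rule is an assumption that models the behaviour the ticket reports, where a return value of 0 is accepted.

```php
<?php
// Added example: runs without WordPress. All names here are hypothetical.
final class Example_Error {} // stand-in for WP_Error

// Assumed model of the reported behaviour: only an error object or a
// strict boolean false rejects the parameter, so 0 is accepted.
function accepts_strict_false( $result ): bool {
	if ( $result instanceof Example_Error ) {
		return false;
	}
	return false !== $result;
}

// Rule proposed in the ticket: error check first, then "is true?", else invalid.
function accepts_truthy( $result ): bool {
	if ( $result instanceof Example_Error ) {
		return false;
	}
	return (bool) $result;
}

$date_re   = '/^\d{4}-\d{2}-\d{2}$/u';
$callbacks = array(
	// The ticket's callback: preg_match() returns 1, 0, or false on error.
	'raw preg_match'   => fn( $v ) => preg_match( $date_re, $v ),
	// Explicit boolean: gives the same verdict under either rule.
	'preg_match === 1' => fn( $v ) => 1 === preg_match( $date_re, $v ),
	// The ticket's concern: strpos() returns offset 0 for a match at the start.
	'raw strpos'       => fn( $v ) => strpos( $v, '2024' ),
	// Explicit boolean form of the same check.
	'strpos !== false' => fn( $v ) => false !== strpos( $v, '2024' ),
);

// Constructed sample inputs.
$inputs = array( '2024-12-01', 'not-a-date' );

foreach ( $callbacks as $name => $callback ) {
	foreach ( $inputs as $input ) {
		$result = $callback( $input );
		printf(
			"%-17s %-11s returned=%-6s strict-false=%-7s truthy=%s\n",
			$name,
			$input,
			var_export( $result, true ),
			accepts_strict_false( $result ) ? 'accept' : 'reject',
			accepts_truthy( $result ) ? 'accept' : 'reject'
		);
	}
}
```

Callbacks that return an explicit boolean are unaffected by which rule is in force, so they avoid both the false positive and the backward-compatibility concern.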